NEDNSProxy flood flow

Question

Created Feb ’21

Replies 1

Boosts 0

Participants 2

While working on NEDNSProxy* network extension I've noticed that during certain network change events DNS system is getting flooded with DNS requests from all kinds of applications. I guess that's normal and expected, however the API apparently doesn't attempt to control rate and the whole situation is quickly leading to "too many" open connections and blockage of the whole thing in addition to bloated memory and so on. Since we have UDP here there is always a certain amount of time involved while waiting for response (1-2 sec at least) and you may or may not get it after all. More specifically, this call seems to be the place where I should try to control the situation:

Code Block - (BOOL)handleNewUDPFlow:(NEAppProxyUDPFlow *)flow
   initialRemoteEndpoint:(NWHostEndpoint *)remoteEndpoint

Is there a recommended way to handle such situations? Should I start dropping those flows, adding a delay before processing them or both? What are the thresholds? Does this API have a capacity after which we know that it can't handle flows anymore? This all applies to regular AppProxy APIs too, I think.

Boost

Answer 1

Systems Engineer OP

Apple

Feb ’21

Should I start dropping those flows, adding a delay before processing them or both?

One technique to use would be flow control to manage the amount of flows that are processed at one time. For example, hold a queue with ONLY x amount of flows in it and as new flows come in, add them to the back of the queue. When flows are closed, new ones are opened from the top of the queue and start the flow copying process starts again. That way you are controlling the traffic passing through the extension. Quinn has an excellent post on other flow controll techniques as well.

Does this API have a capacity after which we know that it can't handle flows anymore?

I am not aware of a documented capacity for this.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

0